Comprehensive guide to securing virtual care delivery, patient devices, and remote location communications
Quick Answer
Telehealth providers face unique HIPAA risks including use of non-compliant consumer video platforms without BAAs, inadequate session encryption, unencrypted recording and archiving, patient devices lacking security controls, unencrypted home networks exposing data transmission, inadequate patient privacy education, background disclosure risks in home settings, unsecured WiFi in remote provider locations, improper third-party sharing of session recordings, and failure to conduct risk assessments for telehealth infrastructure. Telehealth breaches average $195,000 in settlements, with platform vendor breaches affecting multiple providers. Average total risk exposure across all top 10 risks exceeds $1.6 million.
Many telehealth providers use consumer-grade video platforms (Zoom, WhatsApp, FaceTime, Google Meet) without Business Associate Agreements, HIPAA-specific security controls, or end-to-end encryption. These platforms may store unencrypted meeting data on servers, lack audit logging, allow screen sharing with unprotected PHI, and retain data beyond session completion. Even platforms offering "HIPAA mode" lack formal compliance guarantees without signed BAAs.
Mitigation Steps
- Use only HIPAA-compliant telehealth platforms with signed Business Associate Agreements, end-to-end encryption, and documented security assessments
- Verify platform compliance certifications (HIPAA, SOC 2, BAA); maintain documentation of security features and conduct vendor security reviews annually
- Prohibit use of consumer platforms; establish policy requiring encrypted platforms with audit logging and session data minimization
OCR Enforcement Reference:
OCR fined healthcare providers $400,000+ for using Zoom without a business associate agreement for telehealth sessions; emphasized the need for compliant platforms.
Many telehealth platforms implement server-side encryption that allows platform administrators access to unencrypted session content. Sessions transmitted without TLS 1.2+ encryption expose PHI to network interception. Patient diagnostic information, treatment plans, and clinical details discussed during sessions are vulnerable if not properly encrypted from endpoint to endpoint. Platform key management and encryption configuration are often inadequate.
Mitigation Steps
- Require true end-to-end encryption (E2E) for all telehealth sessions, so that neither the platform vendor nor the provider organization's servers can access unencrypted conversation content
- Configure platforms to mandate TLS 1.2+ for all data transmission; disable unencrypted fallback options and verify encryption status before initiating sessions
- Test encryption configuration quarterly with IT security verification; maintain documentation of encryption certificate validity and key rotation procedures
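The "verify encryption status before initiating sessions" step above, as an added example that is not part of the original page or of any telehealth vendor's software: it builds a client TLS context that refuses anything below TLS 1.2, gives a check that the context has not been relaxed (for the quarterly configuration test), and evaluates what a connected socket actually negotiated (protocol version, cipher suite, certificate expiry) before a session is allowed to start. The cipher-name markers and the sample certificate values are constructed assumptions.

```python
import ssl
import time

MIN_TLS = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")
# Cipher-suite name fragments that mark unauthenticated or broken encryption (assumed list).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")


def make_telehealth_context() -> ssl.SSLContext:
    """Client context for the platform connection: TLS 1.2+ only, no fallback,
    server certificate chain and hostname always verified."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = MIN_TLS        # refuses TLS 1.0/1.1 negotiation
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Quarterly configuration test: confirm nobody relaxed the context."""
    return (ctx.minimum_version >= MIN_TLS
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def evaluate_negotiation(version, cipher, cert, now_s=None):
    """Check what a connected SSLSocket actually negotiated.

    version = sock.version(), cipher = sock.cipher() -> (name, protocol, bits),
    cert = sock.getpeercert(). Returns a list of policy violations (empty = OK)."""
    now_s = time.time() if now_s is None else now_s
    name, _protocol, bits = cipher
    problems = []
    if version not in ACCEPTED_VERSIONS:
        problems.append(f"protocol {version} is below TLS 1.2")
    if any(marker in name for marker in WEAK_CIPHER_MARKERS):
        problems.append(f"weak cipher suite {name}")
    if bits < 128:
        problems.append(f"cipher strength {bits} bits is below 128")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now_s:
        problems.append(f"server certificate expired on {cert['notAfter']}")
    return problems


def session_may_start(version, cipher, cert, now_s=None) -> bool:
    """Gate: start the session only if every check above passes."""
    return not evaluate_negotiation(version, cipher, cert, now_s)


if __name__ == "__main__":
    # Constructed values standing in for a real socket's report; no network used.
    sample_cert = {"notAfter": "Dec 31 23:59:59 2030 GMT"}
    print(session_may_start("TLSv1.3", ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256), sample_cert))
```

In production the three inputs come from the live socket (`sock.version()`, `sock.cipher()`, `sock.getpeercert()`) after `make_telehealth_context().wrap_socket(...)` connects to the platform.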
Real-World Example:
A telehealth provider used a platform without E2E encryption; network packet analysis intercepted patient psychiatric diagnoses during a session; the breach affected 3,000+ patients; settlement: $275,000.
Telehealth sessions are frequently recorded for quality assurance, training, or documentation without patient consent and without encryption. Recording files containing full patient conversations, diagnoses, and treatment discussions are stored on unsecured servers, personal computers, or shared drives. Recordings lack access controls, are retained beyond clinical need, and are vulnerable to unauthorized access. Many providers fail to obtain explicit written consent for recording as required by state wiretapping laws.
Mitigation Steps
- Obtain explicit written patient consent before any recording; provide clear disclosure of what will be recorded, who can access recordings, and retention periods
- Store all recordings with AES-256 encryption in platform-secured repositories; disable local device recording and prohibit downloads to uncontrolled storage
- Implement automatic recording deletion based on clinical need (e.g., 30 days for quality review, then automatic destruction); maintain audit logs of recording access and deletion
OCR Enforcement Reference:
OCR investigated a telehealth provider recording sessions without encryption or patient consent; settlement: $300,000, with requirements for consent procedures and encrypted storage.
Patients typically join telehealth sessions from personal devices that lack security controls, encryption, updated operating systems, and malware protection. Patient devices may have weak passcodes, cached credentials, and unencrypted storage of session recordings. Many patients use shared family devices or public computers for healthcare visits, exposing PHI to unauthorized access. Providers have limited ability to control patient-side security but remain liable for breaches originating from unencrypted patient devices.
Mitigation Steps
- Provide patient device security guidance before telehealth sessions; recommend connecting only from password-protected personal devices with current OS and antivirus
- Offer a dedicated telehealth app (not a web-based client) with additional security controls; configure the app to disable screenshots, recording, and caching of session content
- Include device security requirements in patient consent forms; document patient acknowledgment and advise against using shared or public devices for healthcare visits
Real-World Example:
A patient joined a telehealth session from a shared family tablet infected with malware; the malware captured video and audio of a psychiatric consultation; 200+ patients' sessions were potentially compromised; settlement: $185,000.
Many patients connect to telehealth sessions through home WiFi networks that lack encryption (WPA2/WPA3), use default router credentials, or are improperly configured. Unencrypted home networks allow nearby attackers to intercept traffic including video, audio, and data. Many residential WiFi networks broadcast SSIDs, use weak passwords, or lack even basic security configuration. Providers and patients often connect through shared family networks without understanding network-level security implications.
Mitigation Steps
- Educate patients on home network security; provide guidance on configuring WPA3 encryption, strong router passwords, and disabling WPS
- Recommend VPN usage for patients on shared networks; provide VPN options or guidance on configuring VPN before telehealth sessions
- For providers, require a VPN connection and prohibit telehealth from public WiFi networks; implement network monitoring to detect and log network-level security incidents
Real-World Example:
A patient's unencrypted home WiFi allowed a roommate to intercept a telehealth session; the roommate publicly disclosed the patient's HIV-positive status; a privacy complaint was filed; settlement: $145,000.
Patients often conduct telehealth sessions in shared home environments where family members, roommates, or children may overhear conversations or observe screens. Providers frequently fail to educate patients about privacy precautions or verify that patients are in private locations during sessions. Many telehealth visits occur with family members present without patient consent to sharing PHI. Background disclosures during video sessions expose medications, diagnoses, treatment plans, and billing information visible on screens.
Mitigation Steps
- Include pre-appointment instructions requiring the patient to be in a private location for the session; verify privacy status at the start of each telehealth visit
- Educate patients on camera/background awareness; advise closing doors, minimizing background visibility, and positioning device to prevent third-party viewing
- Implement a privacy mode in the telehealth app that shows minimal background; require background blur or virtual backgrounds for all provider video sessions
Real-World Example:
A telehealth session was conducted with the patient's spouse present; the spouse learned of the patient's bipolar disorder diagnosis and mental health medications without authorization; a complaint was filed; settlement: $125,000.
Many telehealth providers work remotely from home, coffee shops, or other unsecured locations using unencrypted WiFi networks. Public and home WiFi lacks appropriate network security, firewalls, and intrusion detection. Providers accessing patient records and conducting sessions from unsecured locations expose PHI to interception. Provider home offices often lack secure storage of patient information, proper screen visibility controls, and background privacy. Multiple providers may share office spaces or home networks without proper network segregation.
Mitigation Steps
- Require VPN usage for all provider remote telehealth work; prohibit access to patient data from public WiFi or shared office networks without a personal VPN
- Implement home office security policy requiring private location, locked doors, monitor privacy screens, and proper disposal of printed patient information
- For providers working in shared spaces, implement network isolation and require two-factor authentication for all EHR and telehealth platform access
Real-World Example:
A telehealth provider accessed patient records and conducted sessions over unsecured public WiFi at a coffee shop; network traffic was intercepted; 500+ patient records were potentially exposed; settlement: $210,000.
Telehealth recordings are sometimes shared with third parties (supervisors, consultants, quality assurance reviewers) without proper patient authorization. Recordings may be transferred via email, shared drives, or external services without encryption. Records are forwarded to training programs, research entities, or other providers without documented consent. Recordings persist in email archives and backup systems long after clinical use, creating extended breach risk.
Mitigation Steps
- Obtain specific written patient authorization for any recording sharing; separate authorization for supervision, quality assurance, and training use
- Share recordings only through secure encrypted platforms with access logging; prohibit email transfer or download to personal devices
- Maintain recording access log documenting who accessed which recordings for what purpose; conduct quarterly audits and remove access for individuals no longer needing recordings
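The retention control from the recording section (automatic destruction after the quality-review window, with audit logging of access and deletion) and the recording access log with quarterly access removal from the steps above, as one added example that is not code from the original page or from any telehealth platform. The 30-day window is the page's own figure; the 90-day access-review window, the user ids and the inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_DAYS = 30      # quality-review recordings destroyed after 30 days (page's example)
ACCESS_REVIEW_DAYS = 90  # quarterly review: revoke grants unused for a full quarter (assumed)


@dataclass
class Recording:
    rid: str
    patient_ref: str                                  # opaque internal reference, never a name
    created: date
    grants: set = field(default_factory=set)          # user ids allowed to open it
    last_access: dict = field(default_factory=dict)   # user id -> date of last open
    destroyed: bool = False


def audit(log, event, rid, actor, detail=""):
    """Append-only audit trail of every access, denial, deletion and revocation."""
    log.append({"event": event, "recording": rid, "actor": actor, "detail": detail})


def open_recording(rec, user, today, log):
    """Grant-checked access; denied attempts are logged as well."""
    if rec.destroyed or user not in rec.grants:
        audit(log, "access_denied", rec.rid, user)
        return False
    rec.last_access[user] = today
    audit(log, "access", rec.rid, user)
    return True


def retention_sweep(inventory, today, log):
    """Destroy recordings past the retention window; return the ids destroyed."""
    destroyed = []
    for rec in inventory:
        if not rec.destroyed and (today - rec.created).days > RETENTION_DAYS:
            rec.destroyed, rec.grants = True, set()   # deletion also drops all grants
            audit(log, "deleted", rec.rid, "retention-job", f"age > {RETENTION_DAYS} days")
            destroyed.append(rec.rid)
    return destroyed


def quarterly_access_review(inventory, today, log):
    """Revoke grants with no access in the last quarter; return (rid, user) pairs."""
    revoked = []
    for rec in inventory:
        for user in sorted(rec.grants):
            last = rec.last_access.get(user)
            if last is None or (today - last).days > ACCESS_REVIEW_DAYS:
                rec.grants.discard(user)
                audit(log, "access_revoked", rec.rid, "access-review", user)
                revoked.append((rec.rid, user))
    return revoked


SAMPLE_TODAY = date(2025, 3, 1)  # constructed run date


def sample_inventory():
    """Constructed sample data (no real patients)."""
    return [Recording("rec-001", "pt-A", date(2025, 1, 2), {"dr_smith", "qa_lee"}),
            Recording("rec-002", "pt-B", date(2025, 2, 20), {"dr_smith", "sup_jones"},
                      {"dr_smith": date(2025, 2, 21)})]
```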
Real-World Example:
A supervisor emailed an unencrypted telehealth recording to a consultant at an external university without patient consent; the recording included sensitive mental health disclosures; the patient discovered the sharing; settlement: $165,000.
Many providers implement telehealth without conducting HIPAA risk assessments specific to telehealth environments. Risk assessments may not address patient device security, home network exposure, platform encryption, or remote provider location vulnerabilities. The HIPAA Security Rule requires documented risk assessments before implementing new systems; many telehealth implementations lack formal assessment documentation. Annual assessments often fail to address evolving telehealth-specific threats.
Mitigation Steps
- Conduct comprehensive HIPAA risk assessment specifically addressing telehealth infrastructure before implementation; document all risks identified and mitigation controls
- Include in assessment: platform security, encryption, patient device risk, network risk, recording risk, third-party vendor risk, and remote provider location risk
- Conduct annual updates to the telehealth risk assessment; include an emerging-threat assessment and test control effectiveness through penetration testing or security audits
OCR Enforcement Reference:
OCR cited a provider for lack of a HIPAA risk assessment for its telehealth implementation; the investigation revealed multiple security gaps that should have been identified; the settlement included an assessment requirement.
Many telehealth platforms are hosted by vendors that experience security breaches affecting multiple provider organizations simultaneously. Providers often lack formal vendor security assessment procedures, vendor breach notification agreements, or incident response plans for platform breaches. Vendor agreements may not include HIPAA liability allocation, incident response timelines, or notification obligations. Providers may not monitor vendor security updates or know about platform vulnerabilities affecting their data.
Mitigation Steps
- Require vendor Business Associate Agreements with HIPAA liability provisions, breach notification timelines (within 24 hours), and incident response procedures
- Conduct annual vendor security assessment; require vendors to provide SOC 2 Type II audit reports, penetration test results, and vulnerability disclosure history
- Establish vendor monitoring procedures to track security patches, vulnerability disclosures, and breach announcements; maintain contact information for security notifications
Real-World Example:
A major telehealth platform vendor experienced a breach affecting 15 providers; 50,000+ patient records were exposed; providers were not notified for 3 months; OCR investigated multiple affected providers for inadequate vendor risk management.
Total Estimated Risk Exposure
Maximum combined penalty range across all top 10 risks: $1,495,000
Based on aggregated penalty ranges for all identified telehealth-specific risks. Actual penalties depend on breach scope, number of affected patients, and provider's prior compliance history. Multi-provider platform breaches can exceed these amounts significantly.
Get Your Comprehensive Security Risk Analysis
Medcurity security experts will evaluate your telehealth infrastructure, assess platform compliance, review patient and provider security controls, and provide prioritized remediation roadmap for secure virtual care delivery.